I have a need to track 2 related events. An object gets tagged if it fails a check. If the failure does not get fixed in 5 days the object is removed. Would there be a way on a multiline chart to shift one of the lines by 5 days? I want to be able to easily look at the chart and see what the difference is between failing whether or not the object gets fixed.
The search is pretty basic. It is actually 2 searchs united with an appendcols both searches end with a "| timechart span=1d count(field)" This produces a 3 column statistics output with _time, failed and removed. which the visualization returns and nice graph but I need to look either 5 days forward or back to see the related event count. Something like this
I was thinking if I could change the query to just return the numbers with out the _time column and then use latest=-5d I could then do the line chart using those values but I am having issues getting just the numbers
The +5d does the trick.. it moves the lines to have the proper relationship. I have 2 items to fix for the graph to look correct. With the shift the 1st 5 days of the modified line is flat. The other issue is since I am playing with the date I think it would be better if I could hide the x-axis label and not show the date.